Award-winning news, views, and insight from the ESET security community

1,500 iOS apps open to simple man-in-the-middle attacks

Around 1,500 apps for iPhone and iPad contain an HTTPS vulnerability making it 'trivial' for hackers to perform man-in-the-middle attacks to steal passwords, bank details and other private information.

Around 1,500 apps for iPhone and iPad contain an HTTPS vulnerability making it ‘trivial’ for hackers to perform man-in-the-middle attacks to steal passwords, bank details and other private information.

Around 1,500 apps for iPhone and iPad contain an HTTPS vulnerability making it ‘trivial’ for hackers to perform man-in-the-middle attacks to steal passwords, bank details and other private information.

The bug was uncovered by SourceDNA, Cult of Mac reports, and is a weakness in the open source AFNetworking code library that some developers put into their apps to add networking capabilities. While the vulnerability has been fixed within AFNetworking in version 2.5.2, not all affected apps have been updated to the latest version, leaving them open to attack.

SourceDNA scanned 1.4 million apps in the App Store to find those still affected, and while the 1,500 uncovered is a relatively small proportion of the total number, users of unpatched apps could have their data intercepted in a man-in-the-middle attack.

Usually a fake secure socket layer certificate would be detected, causing the connection to be instantly dropped, but researchers found that due to a logic error in the code, a validation check is not carried out. This means that fraudulent certificates are trusted by apps running version 2.5.1 of AFNetworking.

“The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates,” the researchers wrote. “We tested the app on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention!”

As of Monday, a number of high profile apps including Citrix OpenVoice Audio Conferencing, the Alibababa mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0 and Revo Restaurant Point of Sale were still using the vulnerable version of AFNetworking, reports Ars Technica. The list was longer, but apps by companies such as Microsoft, Yahoo and Uber were patched following a private disclosure to developers.